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Abstract 

A privacy-preserving English auction protocol with round efficiency based on a modified ring 
signature has been proposed in this paper. The proposed protocol has three appealing character- 
istic: First, it offers conditional privacy-preservation: on the one hand, the bidder is anonymous 
to the public, on the other hand, only the collaboration of auctioneer and registration manager can 
reveal the true identity of a malicious bidder. Second, it does not require to maintain a black list 
which records the evicted malicious bidders. Finally, it is efficient: it saves the communication 
round complexity comparing with previously proposed solutions. 

Keywords: 

English auction; Conditional anonymity; Round efficiency; Ring signature 



1. Introduction 

Electronic auctions are a very popular trading method for determining a customer and the 
sale price II 1 711 . They are not only widespread mechanisms to sell goods, but have also been 
shown applicable to task assignment, scheduling, or finding the shortest path in a network with 
selfish nodes |@]. According to the goals and decision strategies, the electronic aucti on p rotocols 
can be categorized into the sealed-bid auction |22, Kjl 33], the English auction Il4lll7ll . and the 



(M + l)st-price auction J2,0]. In an English auction, each bidder offers the higher price one by 
one, and finally a bidder who offers the highest price gets the desired goods. It is noted that all bid 
values are published and any bidder easily knows the price position of goods in English auction. 
Therefore, a bidder has the dominant strategy for bidding, which places a little higher than a 
current bid value. In this way, the competition principle well works and the winning bid value 
reflects a market price. This is why an English auction is the most familiar style of auctions. 
Therefore, this study focuses on the English auction protocol, bringing up related issues and 
methods. 

Privacy is a crucial issue in designing the auction protocols. A major reason why people 
may be hesitant to participate in auction protocol themselves, is the worry that too much of their 
private information is revealed. Furthermore, in the modern electronic society, the information 
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might get propagated to large numbers of parties, stored in permanent databases, and automat- 
ically used in undesirable ways. To solve this problem, we study the possibility of designing 
the English auctions with communication round efficiency in a way that preserves the bidders' 
privacy. Franklin and Reiter [16] were among the first researchers to address electronic auction 
with bid privacy. They covered many problems such as secret sharing, digital cash and multi- 
cast as well as their own primitive technique called verifiable signature sharing. Their protocol 
successfully prevents a single auctioneer from altering a bid or throwing an auction to a single 
bidder. Unfortunately, in their protocol, all bids will be disclosed to all auctioneers after the auc- 
tion is closed. Kikuchi et al. 12011 attempted to deal with such problems through secret sharing 
techniques, but Sako 1 28] pointed out that several problems still remain in their work. Also, there 
are protocols where bidders themselves jointly compute the auction outcome without relying on 
trusted third parties at all The main advantage of these protocols is that they are fully 

private, i.e., when relying on computational intractability assumptions, no coalition of parties is 
capable of breaching privacy. The drawbacks implied by such a model are low robustness and 
relatively high computational and communication complexity. Chang et al. Ill 211 and Jiang et 
al. 11 811 proposed anonymous electronic auction protocols based on the deniable authentication. 
Nevertheless, in these protocols, the auctioneer must verify the identity and bid price of all bid- 
ders one by one during the bidding stage to ensure the legality of a bidder and the integrity of the 
bid price. So these protocols will pose a heavy computation overhead for the server at the auc- 
tioneer's end. Omote et al. 11251 12611 initially proposed electronic English auction which realize 
both anonymity of bidders and traceability by employing bulletin boards. However, their method 
does not publicize bidder information because publishing such information compromises privacy, 
including anonymity, fairness and non-linkability among various auction rounds, etc. Sakurai et 
al. OOTl . Nguyen et al. [24] and Lee et al. [22] proposed anonymous and non-repudiate auction 
protocols based on group signature respectively. Although they realized the privacy-preserving 
auction protocol efficiently, the auction manager have to maintain a black list, which is the list 
of participants that have their memberships revoked. Hence, each bidder has to spend additional 
time on verifying whether the other bidders had been revoked or not. Furthermore, when the 
number of revoked members in the black list is larger than some threshold, the protocol requires 
every remaining bidder to renew their secret membership key and updating public information. 
To solve this problem, Xiong et al. [33] proposed an anonymous auction protocol based on the 
ring signature, where the bidder can be easily removed from the system. Whereas, taking round 
efficiency into consideration, Xiong et al.'s protocol is much more costly than the previously 
protocols. 

In this paper, we propose an English auction protocol with privacy-preserving based on re- 
vocable ring signature 12311 . In addition to satisfy the above properties, our protocol has the 
following unparalleled features: (a) The proposed protocol can efficiently evict the malicious 
bidder instead of maintaining the black list or updating the public information; (b) Our protocol 
has low round communication complexity. 

The remainder of this paper is organized as follows. The next section presents background 
information related to English auction protocol. Section|3]details the proposed auction protocol, 
followed by the security analysis and the performance analysis in Section|4] Section[5]concludes 
this paper. 
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2. Preliminaries 



2.1. Desired requirements 

Recently, the need for privacy has been a factor of increasing importance in auction de- 
sign and various schemes to ensure the safe conduction of English auctions have been proposed 
H0 [II [13, [B 03 III Meanwhile, any bid does not allow to 



be canceled in the case of English auction. Because the highest bid may be insignificant if a bid 
can be canceled in an English auction. Therefore, in an electronic English auction, it is the most 
important to satisfy the following two properties simultaneously: (a) Anonymity and (b) Trace- 
ability. Although any bidder can participate anonymously, it is necessary to identify a winner 
after the bidding phase without winner's help. This means that every bid placed in an English 
auction must be authorized while maintaining anonymity. In the following, we summarize the 



requirements of electronic auction from the researches of Chen lll3ll . Chang and Chang [ 12Q, and 
Chung et q/ J14ll . and Omote and Mivaiil25 U26ll : 

1. Anonymity: Nobody including the authority itself can identify the losing bidders even 
after the opening phase. 

2. Traceability: The cooperation of registration manager (AM) and auction manager (RM) 
can identify the malicious bidder. In this way, the malicious bidder will be removed from 
the system. Note that an electronic auction has mainly two entities, the RM who treats the 
registration of bidders, and the AM who holds auctions. 

3. Unforgeability: Nobody can impersonate a certain bidder. 

4. Fairness: all bids should be fairly dealt with. 

5. Public verifiability: Anybody can publicly verify that a winning bid is the highest value of 
all bids and publicly confirm whether a winner is valid or not. 

6. Unlinkability among plural auctions: nobody can link the same bidders bids among plural 
auctions. 

7. Robustness: Even if a bidder sends an invalid bid, the auction process is unaffected. 

8. One-time registration: any bidder can participate in plural auctions by only one-time reg- 
istration. 

9. Efficiency: The protocol should be efficient from the viewpoints of computation and com- 
munication. 



2.2. Bilinear Maps 

Since bilinear maps work of composite order as the basis of our proposed scheme in this 
paper, we briefly introduce the bilinear maps [5] in this section. Let n be a composite with 
factorization n = pq. We have 

• G is a multiplicative cyclic group of order n; 

• G p is its cyclic order-/? subgroup, and G q is its cyclic order-g subgroup; 

• g is a generator of G, while h is a generator of G q ; 

• Gt is a multiplicative group of order n; 

• e : G x G — > Gt is an efficiently computable map with the following properties: 
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- Bilinearity: For all u, v e G, and a, b e Z, e(w fl , = e(u, v) ab . 

- Non-degeneracy: e(g,g) = Gt whenever < g >= G. 

• &T.p and Gr,q are the G^-subgroups of order p and q, respectively; 

• the group operations on G and Gr can be performed efficiently; and 

• bitstrings corresponding to elements of G and of Gt can be recognized efficiently. 

2.3. Ring signature 



Ring signature, introduced by Rivest, Shamir and Tauman [27], is characterized by two main 
properties: anonymity and spontaneity. Anonymity in ring signature means 1-out-of-n signer 
verifiability, which enables the signer to keep anonymous in these "rings" of diverse signers. 
Spontaneity is a property which makes distinction between ring signatures and group signatures 
iflll 0] • Group signature allows the anonymity of a real signer in a group to be revoked by 
a trusted party called group manager. It also gives the group manager the absolute power of 
controlling the formation of the group. Ring signature, on the other hand, does not allow anyone 
to revoke the signer anonymity, while allowing the real signer to form a group (also known as 
a ring) arbitrarily without being controlled by any other party. Since Rivest el al.'s, scheme, 
many ring signature schemes have been proposed 01 [511 15]. Inspired by the compact 



group signature lllOll . Shacham and Waters 12311 proposed an efficient ring signature, which can 
be proved secure in the standard model. Also inspired by the group signature llOll . we remark 
that the anonymity in this ring signature can be revoked by the trusted authority in the same way 
like [10]. That is to say, the signature allows a real signer to form a ring arbitrarily while allowing 
a trusted authority to revoke the anonymity of the real signer. In other words, the real signer will 
be responsible for what is has signed as the anonymity is revocable by authorities while the real 
signer still has the freedom on ring formation. In this paper, we propose a conditional privacy- 
preservation English auction protocol with round efficiency based on this modified ring signature 



scheme in [23]. 



3. The proposed English auction protocol 

This section describes in detail our efficient privacy-preserving auction protocol. In a high 
level description, the auction system works as follows. To enrol in the system, each bidder con- 
tacts the registration manager and registers his own public key and corresponding real identity. 
(Through this way, the key escrow problem will be solved. That is to say, the registration man- 
ager can't frame an innocent bidder by forging the bidder's signature). After confirming the 
validity of bidder's identity and public key, registration manager will publish the public key of 
the bidder on the Bulletin Board System (BBS). Each bidder collects the public keys of other 
bidders from BBS managed by registration manager. Then for each auction, a bidder can bid a 
value by generating a ring signature on the bid on behalf of this set of public keys. (We remark 
that the bidder's public key must be included in this set of public keys). At the deadline, the 
identity of the bidder, who posts the highest bid, is retrieved using the revocation procedure. 
Bidder privacy is protected due to the anonymity and unlinkability properties of the underlying 
ring signature scheme. 

The proposed scheme includes the following four phases: Initial phase, Bidding phase, Win- 
ner announcement phase, and Opening protocol. The notations used throughout this paper are 
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listed in Table Q] Let B = [B\, ■ ■ ■ ,B{\ be a set of / bidders who take part in an auction and offer 
a price. Let RM be Registration Manager who manages the participants of auctions and AM be 
Auction Manager who holds an auction and opens the real identity of the bidder with RM. We 
assume that these two authorities RM and AM do not collude together. Figure Q] illustrates the 
auction procedure. 



Table 1: Notations 



Notations 


Descriptions 


RM: 


Registration Manager who manages the participants of auctions by 




controlling the BBS. 


AM: 


Auction Manager who publishes {A, Bo, A, u', u\, ■ • ■ , u^} and keeps 




the tracing key q e Z secret. 


Br. 


bidder who has its own secret key pkj = g*> and public key ski - A Xi , 




where Xj e« Z„ 


IDj : 


The real identity of the bidder B, 


S = {pk u ---,pk,} 


/ public key of corresponding bidders 


Mi : 


A bid generated by the bidder B, 


m-) ■■ 


A hash function such as "Hi : {0, 1 }* — > Z„ 


m-) ■■ 


A hash function such as : (0, 1}* -> {0, 1}* 


a II b 


String concatenation of a and b 



Bi 



Initial Phase 



AM 



1 .publish { A,B ,A,u',Uj ; . . . ^ } ,H l , H 2 



2. {pk t , ID f , a, , b f }, where a t = H { (g' ! \ \ ID 1 ), b t = (t t + x t ■ a, ), ?, G fl Z„ 



Bidding Phase 




3M i ,cj i ={{S„S 2 \{C p K j } 1 j __ l ) 



RM 



Winner announcement Phase 



4. publish (M ,g ) 

r •^"•"j \ winner' winner ' 



Opening Phase 



5.pk ; , 



6.(pk.,,ID.,) 



Figure 1 : English Auction procedure based on Ring signature 
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3.1. Initial phase 

Prior to the bidding phase, the AM sets up the system parameters and publishes it as follows: 
The AM first constructs a group G of composite order n — pq as described in section 12.21 
above. It then chooses exponents a, bo e# Z„ and sets A = g" and Bq = g b ° and A = h". 
Let r H\ : {0, 1 }* — » Z„ and Hi : {0, 1 }* — > {0, 1 } k be two collision-resistant hash functions 
respectively. The AM picks hash generators u' , u\, e« G. The published parameters 

includes a description of the group G and of the collision-resistant hash functions f H\,'Hi, along 
with (A, Bo, A) and («', u\, ■ • • , Uk). Note that the auction manager AM's tracing key is q e Z. 

After receiving the public parameters from the AM, the RM is in charge of checking the 
bidders' public key and identity as follows: 

• The bidder B, first chooses x, Z„; sets pk; = g Xi e G as its private key, and ski = A x > e G 
as its public key. 

• Bj randomly selects an integer f, Z„ to determine the verification information of pkf. 
a-, - Hiig' 1 || ID,) and b; = (?,- + x,- • af). Then B, transmits {pk,, a,-, fe,-} to RM over a 
secure channel. 

• After receiving {pk,, ID/, a,, bj\, RM confirms the validity of the bidder's identity and 
checks whether the following equation holds: 

a i = <H 1 ((g bl -pk- ai )\\ID i ) 

If it holds, then {pkj, /D,} is identified as the valid public key and identity. Otherwise, it 
will be rejected. After that, RM keeps the relation {pkj, IDj} secret and publishes pkj on 
the BBS. 

3.2. Bidding phase 

In one round of auction, bidder Bj signs his bid M, before sending it out. Suppose S = 
{pk\, ■ ■ ■ , pk\) is the set of public keys and it defines the ring of public keys. We assume that 
all public keys pki, 1 < i < I and their corresponding private keys ski's are generated by the 
corresponding bidders, and i* (1 < i* < I) is the index of the actual bidder. The signature 
generation algorithm S ig(S , skp, M,>) is carried out as follows. 

1. Compute 7Y2(M,.,5) = (mi, ■ • • ,?%). Define {/;}[ =1 as 

f 1, if/ = f; 
\ 0, otherwise. 

2. For each i, 1 < i < I, choose a random exponent e, e« Z„ and set C,- = (pki/Bor*h ei and 

I* = ((pki/Boff'-^y. 

3. Compute C = rj/=i ^' anc ^ e = 2/=i e '- 

4. Finally, choose r Z„ and compute S \ - sk t * ■ (u' Y[j=\ u" } ) r ■ A e and S 2 = g' '. 

The signature cr, of M, with respect to 5 is {(-Si.Si), {Cj>7rj}' =1 }. After generating the ring 
signature on his bid successfully, B, will sends {M,-, cr,} to the AM. 
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3.3. Winner announcement phase 

After the deadline, AM chooses the highest (or the most suitable) bid and runs the verify 
procedure. If the output is yes, AM accepts the bid as the winning bid. Otherwise, AM repeats 
the process for the remaining bids. The process of verifying the signature of bid is as follows: 

1. Compute H 2 (M,S) = (/«!,■•■, m k ). 

2. For each i, 1 < i < I, check whether e(C,-, Cilipkil Bq)) = e(/i,7r,) holds or not. If any of 
the Ci is invalid, reject. Otherwise, set C — ]~[;=i Q- Accept if the following equation is 
satisfied: e(A,B C) = e(S u g)e(S 'J 1 , u' Y\) =x uJ J ) 

Once a winning bid is determined, AM posts the bid of the winning bidder on the BBS along 
with the ring signature on this bid. 

3.4. Open protocol 

If Bj repudiates his bid or simply crashes, AM invokes the open protocol, which is two-party 
protocol between AM and RM for opening the real identity of the bidder. At the beginning of 
this protocol, AM checks the validity of the signature and then uses its tracing key q e Z and 
determines if 

(Cif ■ B = pk 

for some i, 1 < i < I. If the equation holds at, say when i = /*, then AM sends the pk? to RM. 

After receiving pkf, RM looks up the record (/?&,■., 7D,>) to find the corresponding identity 
ID? meaning that bidder with identity ID? is the real bidder. The RM then evicts bidder 7D,« 
from auction and pk? from BBS if this bidder is malicious. Otherwise, if this bidder wins the 
auction, RM will send (pkpJDj.) to the AM. 

4. Analysis 

The security and efficiency of auction protocol is analyzed in this section. It will be shown 
that the protocol is fair, publicly verifiable and achieves conditional privacy-preserving, unlinka- 
bility, and robust. 

4.1. Security Analysis 

Identity privacy preservation: There is no single authority who can break anonymity. 

Given a valid ring signature <x of some message, it is computationally difficult to identify the 
actual bidder by any participant in the system except the cooperation of RM and AM. If there 
exists an algorithm which breaks the signer anonymity of the construction in Section l3T2l then the 
Subgroup Hiding (SGH) assumption would be contradicted l23ll . Furthermore, only RM knows 
the relation between the pk-, and bidder's real identity ID,. So, only the cooperation of RM and 
AM can break the bidder's anonymity. 

Non-repudiation: No bidder can deny he had submitted his bid. 

Given the signature, the AM who knows the tracing key q, can trace the public key of a 
malicious bidder using the Dispute protocol described in section 13.41 Besides, the tracing pro- 
cess carried by the AM does not require any interaction with the malicious bidder. With the 
cooperation of RM, the real identity of the malicious bidder can be revealed. 
Unforgeability: In our protocol nobody can impersonate any other bidder to make a bid. 



7 



According to l23ll . the ring signature is unforgeable with respect to the insider corruption 
if Computational Diffie-Hellman (CDH) problem is hard. So, in our proposed scheme, the bid 
along with the ring signature can only be generated by the valid ring members. 
Fairness: Our protocol has fairness of bidder since the bidder is anonymous during the auction. 

Fairness of bidder in an electronic auction means that any bid is fairly accepted by AM. 
Generally, in an electronic English auction, fairness of bidder depends on AM. Our protocol can 
avoid unfairness, such as AM repudiates any bidding by a certain bidder, because the bidding is 
done anonymously. 

Public veriflability: It is public verifiable that the price of the successful bid is higher than any 
other bids. 

In our protocol, anyone can simulate the procedure to verify the validity of bids using the 
information on the BBS. Since all the information necessary to decide the auction result is pub- 
lished on the BBS, anyone can verify the auction result. 

Unlinkability among plural auctions: It is impossible to link the same bidder among plural 
auctions. 

Unlinkability is the basic property related to ring signature: two ring signatures issued by 
the same signer are unlinkable in any way, except the very fact that this signer appears in the set 
of public keys of both ring signatures III y, [l5l |2j, So nobody can link two signatures 
among plural auctions. 

Robustness: Malicious cheating and crashing can be recovered. 

Misbehavior takes place from time to time as a result of either intentional malicious be- 
haviors (e.g., attacks) or hardware malfunctioning. It is less difficult to prevent misbehavior of 
unauthorized users of auction protocols (i.e., outsiders) since legitimate users can simply ignore 
the messages injected by outsiders by means of authentication. This is one reason that we say 
ring signature is the building block of auction protocols. On the contrary, misbehavior of legiti- 
mate users of auction protocols (i.e., insiders) is more difficult and complex to prevent, the reason 
being that insiders possess the legitimate public/private key pairs to perform authentication with 
peer bidders who can be easily tricked into trusting the insiders. Consequently, the insiders' 
misbehavior will have much larger impact on the network and be more devastating. Fortunately, 
the opening phase can be employed to detect such misbehavior and misbehaving users will be 
evicted accordingly. 

One-time registration: Any bidder can take part in plural auctions as a valid bidder in one-time 
registration of public key, maintaining anonymity for RM, AM, and other bidders. 

Note that the honest bidder can get the public key of ring members (a set of bidders) required 
to generate the ring signature arbitrarily from the BBS without any interaction with any other 
bidders, RM or AM in the system. So, the honest bidder can take part in plural auctions in 
one-time registration. 



4.2. Efficiency Analysis 

In our protocol, the computational costs and communication overheads on AM and RM are 
not stringent since these entities are resource-abundant in nature. We are interested in the com- 
putational costs and communication overheads at bidders which are least powerful in our system. 
We use table|2]to show the performance analysis of our protocol and 1 3311 . For convenience, we 
define the following notations: T e (the time for one exponentiation computation); T m (the time 
for one modular multiplication computation); T, (the time for one inverse computation); 7), (the 
time for executing the adopted one-way hash function); Te„ c (the time for executing the encryp- 
tion function); Toec (the time for executing the decryption function). The parameter / and k are 
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used to denote the number of public keys in the generation of ring signature and the length of the 
output of hash function "7^2 respectively. It is obvious that our proposed protocol possesses the 
advantages of [33] due to the computation efficiencies and communication rounds. 



Table 2: The comparison of efficiency 





Xiong et al.'s schem[33] 


Our scheme 


Initial Phase 


'< + lEnc + Toec 


3T e + T h + T m 


Pre-Bidding Phase 


(31 - 2)T e + IT,, + (21 + l)T m 




Bidding Phase 


(31 - 2)T e + lT h + (21 + l)T m 


T h + (51 + k + 2)T e + (5l + k+ V)T m + 21T, 


Winner announcement Phase 


(3l-2)T e + lT h + (2l+l)T„, 




Rounds 


4 


2 



In addition, our protocol does not need to maintain a black list which is the list of evicted 
participants, different from the auction protocol based on group signature JMEHH. Further- 
more, our protocol does not require every remaining bidder to renew their secret membership 
key and updating public information. Thus, our protocol is more practical than 



5. Conclusions 

A privacy preserving English auction protocol with round efficiency based on a modified ring 
signature has been proposed in this paper. We demonstrate that proposed protocol does not only 
provide conditional privacy, a critical requirement in English auction protocols, but also able to 
improve efficiency in terms of communication round complexity and identity tracking in case of 
a dispute. Meanwhile, our proposed solution can achieve one-time registration: that is to say, the 
bidder can take part in plural auctions in one time registration. 
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